On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for infringement of the GDPR. Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
The Authority based its investigation on two complaints that were lodged immediately after the entry into force of the GDPR on 25 May 2018.
The CNIL examined the data processing operations covered by the complaints and found two types of infringement.
• Violation of the obligations of transparency and information:
The CNIL observed that the information on the data processing activities provided to users was neither easily accessible nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalization was spread across various documents.
• Violation of the obligation to have a legal basis for advert personalization processing:
Google relied on data subjects’ consent to process data for ad personalization purposes. However, the Authority found that this agreement did not constitute specific, informed and unambiguous consent, because data subjects had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access its products. The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed, owing to the use of multiple documents and the unclear description of the services and websites that would be involved in ad personalization.
Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalization.
This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018. In imposing the fine, the Authority took into account the serious breach of the main principles of the GDPR, for which the maximum amount that can be imposed is EUR 20 million or 4 % of the company’s global annual turnover. The factors taken into consideration in the Authority’s decision on whether to impose a fine, and on its amount, were that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR, and that its data processing covers a wide range of data subjects. Lastly, the CNIL pointed out that, as the company’s business model is partly based on ad personalization, Google had all the more reason to ensure that it complied with its GDPR obligations.
The fine serves as a lesson for employers that they need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.